Powering Automation Through Darknet Intelligence with DFLabs and DarkOwl

Back to all articles

darknet intelligence

Having the ability to quickly detect indicators of a breach is of utmost importance for modern day organizations. Unfortunately, the sophistication of today’s threats will often leave indicators of their presence hidden for long periods of time before they are finally discovered, and usually once an organization has uncovered these breaches of their security, it is too late.

The Problem

A large majority of today’s incident research is performed on the internet. However, the bad guys only do a small percentage of their work on what is known as the surface web, leaving most indicators of their activity just out of reach of the security professionals looking to hunt them down. These indicators are often found on the deep web or darknet, and because these areas of the internet are not indexed, incident responders often do not have quick access to this information.

The lack of access to this valuable incident data causes security professionals to make split-second decisions based on incomplete information, which could lead to misidentifying a threat as benign or wasting valuable time on false positive alerts. Without reliable reconnaissance, incident responders will continue to struggle to identify threats towards their organizations and fail to respond in a timely manner necessary to prevent their assets from being breached.

Today, security professionals are often left asking themselves a number of questions, looking for the appropriate answers and relevant solutions for their organization.

  • How can my organizations gather more relevant incident indicators to aid our security team during investigations?

  • How can we utilize the darknet for incident investigation when it is not indexed and organized like the surface web?

  • How can we lower the risk of misidentification of potential incidents?

The DFLabs and DarkOwl Solution

The integration between DFLabs and DarkOwl provides organizations with the means necessary to confidently detect and quickly respond to an incident by employing the data rich content found on the darknet through the use of DarkOwl Vision and the automation and orchestration capabilities of DFLabs’ IncMan SOAR solution.

DarkOwl Vision continuously collects, indexes, archives, and ranks dark intelligence data (DARKINT™) which is then used by IncMan’s R3 Rapid Response Runbooks to take automated action against a potential threat. These automated actions - fueled by access to real-time darknet content - gives security professionals the edge they need to stay ahead of their adversaries.

About DarkOwl

DarkOwl is the world’s leading provider of DARKINT, darknet intelligence. DarkOwl Vision, the world’s largest commercially available database of darknet content, provides the means to efficiently detect the presence of proprietary information on the darknet and mitigate damage prior to the misuse of sensitive data.

The DarkOwl Vision engine automatically, continuously, and anonymously collects, indexes, and ranks darknet, deep web, and high-risk surface net data. By collecting and storing data in real-time, darknet sites that frequently change location and availability can be queried in a safe and secure manner without having to access the darknet itself.

Use Case

Now, let’s look at a simple use case in action.

A data loss prevention (DLP) alert is received by IncMan indicating that files were potentially being copied from an Amazon S3 bucket to an unidentified FTP server. Upon receiving the alert, the data exfiltration R3 Rapid Response Runbook within IncMan is executed and begins to gather incident enrichment data surrounding the unidentified FTP server.

This data includes IP addresses and any domain information which is then sent to a reputation service to identify whether the FTP server in question can be considered malicious. If either of these artifacts are found to have a negative reputation score, the R3 Rapid Response Runbook will split off into three separate tasks to be run consecutively. A call will be issued to the organization’s firewall to block both the IP address and its associated domains, a query will be sent to AWS Security Hub to gather any additional incidents involving the malicious IP address or domain, and a query will be sent to DarkOwl to indicate whether any company information can be found on the darknet. If there were additional events observed, these event IDs will be added to the incident as incident artifacts, a new AWS insight will be issued with this information, and a new ticket will be created in the organization’s ticketing system for the AWS team.

If any proprietary data belonging to the organization is found when DarkOwl is queried, the accounts or data recovered will be added to the incident as an artifact, the priority of the incident will be upgraded to critical, and a new incident response ticket will be issued to the incident responders to begin incident response procedures.


The DFLabs and DarkOwl solution arms security professionals with valuable incident indicators and the automation capabilities necessary to rapidly detect and respond to a potential incident.

The critical information provided by DarkOwl’s darknet, deep web and high-risk surface web threat intelligence, enables incident responders to utilize DFLabs’ IncMan SOAR automation power to quickly triage and act upon a malicious threat, and keep their organizations protected from today’s sophisticated threats.

These threats require immediate action which can oftentimes be delayed due to incomplete information and lack of manpower. By pairing DarkOwl’s darknet content with IncMan’s automated runbooks, security professionals gain a force multiplier for their organization, to help protect their businesses and assets in today’s widely expanding threat landscape.

Keep an eye out for our upcoming webinar together with Dark Owl, where we will be doing a deep dive into the integration to show the features and capabilities in more detail.

Get Started with a One-to-One Personalized Demo

Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.

See IncMan SOAR in Action.

Request a demo